The Information Commissioner's Office (ICO) recognises the unprecedented challenges we are all facing during the Coronavirus (COVID-19) pandemic.
We know you might need to share information quickly or adapt the way you work. Data protection will not stop you doing that. It’s about being proportionate - if something feels excessive from the public’s point of view, then it probably is.
And the ICO is here to help – please see below for answers to the questions we’re being asked. If you need more help, call us on 0303 123 1113.
During the pandemic, we are worried that our data protection practices might not meet our usual standard or our response to information rights requests will be longer. Will the ICO take regulatory action against us?
No. We understand that resources, whether they are finances or people, might be diverted away from usual compliance or information governance work. We won’t penalise organisations that we know need to prioritise other areas or adapt their usual approach during this extraordinary period.
We can’t extend statutory timescales, but we will tell people through our own communications channels that they may experience understandable delays when making information rights requests during the pandemic.
As a healthcare organisation, can we contact individuals in relation to COVID-19 without having prior consent?
Data protection and electronic communication laws do not stop Government, the NHS or any other health professionals from sending public health messages to people, either by phone, text or email as these messages are not direct marketing. Nor does it stop you using the latest technology to facilitate safe and speedy consultations and diagnoses. Public bodies may require additional collection and sharing of personal data to protect against serious threats to public health. More information for health and care professionals here.
More of our staff will be homeworking during the pandemic. What kind of security measures should my organisation have in place for homeworking during this period?
Data protection is not a barrier to increased and different types of homeworking. During the pandemic, staff may work from home more frequently than usual and they can use their own device or communications equipment. Data protection law doesn’t prevent that, but you’ll need to consider the same kinds of security measures for homeworking that you’d use in normal circumstances.
Can I tell my staff that a colleague may have potentially contracted COVID-19?
Yes. You should keep staff informed about cases in your organisation. Remember, you probably don’t need to name individuals and you shouldn’t provide more information than necessary. You have an obligation to ensure the health and safety of your employees, as well as a duty of care. Data protection doesn’t prevent you doing this.
Can I collect health data in relation to COVID-19 about employees or from visitors to my organisation? What about health information ahead of a conference, or an event?
You have an obligation to protect your employees’ health, but that doesn’t necessarily mean you need to gather lots of information about them.
It’s reasonable to ask people to tell you if they have visited a particular country, or are experiencing COVID-19 symptoms.
You could ask visitors to consider government advice before they decide to come. And you could advise staff to call 111 if they are experiencing symptoms or have visited particular countries. This approach should help you to minimise the information you need to collect.
If that’s not enough and you still need to collect specific health data, don’t collect more than you need and ensure that any information collected is treated with the appropriate safeguards.
Can I share employees’ health information to authorities for public health purposes?
Yes. It’s unlikely your organisation will have to share information with authorities about specific individuals, but if it is necessary then data protection law won’t stop you from doing so.